Skip to Content


The following is the AssignUserstoADGroup pass:

dn $FUNCTION.sap_getGroupDN(%MSKEY%)$$

changetype modify

+ uniquemember %DN%$rep.$NAME%%

I am assuming dn is the User dn and %DN%$rep.$NAME%% is the group DN.

In the ProvisionADUser task is called from the Workflow how is it supposed to work. What input attribute should be given.



Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

4 Answers

  • avatar image
    Former Member
    Jan 11, 2010 at 05:35 AM



    ToDSADirect.modEntry !ERROR:Entry does not exist

    means that its not returning the DN of the group from the Privilege in the Identity Store. Its finding an invalid entry or value and thus the SQL in sap_getGroupDN is returning the error.

    A couple of things spring to mind:

    - It uses the audit table to determine the MSKey of the user being operated on. You can check the audit table to ensure that the user you are expecting is logged against the job. If not, its not going to work.

    - It uses the repository name set for the job to determine the attribute to return. If you don't have a repository set through the task list somewhere (or directly on the job) , it won't work. Given the error you're getting, this is probably the problem. Its trying to retreive "DN<repname>" and coming back with attribute does not exist...

    Confirm that the repository is set and that the privilege for the AD Group has an appropriate DN<repname> attribute...

    Peter Wass

    Add comment
    10|10000 characters needed characters exceeded

    • Former Member Mubarak Shabna Asmi


      The SAP PF treats AD groups as privileges. As such, they should be assigned by the privilege assignment, not through user provisioning - you can do it but the SAP PF isn't set up that way. This is why its designed to do one at a time. You have to assign users to groups in AD, not groups to users.

      If I can remember the script correction (don't have it in front of me)


      - gets the audit entry of the current job

      - selects the aValue from MXIV_SENTRIES where attribute = audit entry attribute, mskey= userid and checksum = audit entry checksum

      - It gets the current repository from the job

      - The aValue is then the privilege mskey which is used to retrieve the group DN%rep.Name% from the group-privilege using getValue


      - the audit entry which started the job must reflect the assignment of the privilege

      - the repository must be correct

      If either of those are incorrect then it won't retrieve the group properly.

  • Jan 04, 2010 at 06:20 PM

    Can someone Help me with this Please.

    Add comment
    10|10000 characters needed characters exceeded

  • avatar image
    Former Member
    Jan 05, 2010 at 10:20 AM

    I'm quite sure dn is the Group-DN while %DN%$rep.$name%% is the user-DN.

    If you look at your AD with an LDAP-browser you can see that your groups have member-attributes which store the user-DNs

    The PovisionADSUser-Task is supposed to be a sub-task of ProvisionADS. Normally you don't "call" it separately.

    Sorry, but I don't really understand your problem or what you intend to do... please clarify.



    Add comment
    10|10000 characters needed characters exceeded

    • The task I was using is not a custom one. It is from the provisioning framework. I had also tried using the ProvisionAD task with exchange user creation disabled. Still same problem. I just have to figure out how the sap_gerGroupDN script works.

      Thanks for your time anyways.


  • Jan 21, 2010 at 07:46 PM

    Thanks fo all your replies. My MX_PROVISIONTASK was not properly linked. Once that was done it works.

    Add comment
    10|10000 characters needed characters exceeded